on ssl tls security encryption

Generating SSL/TLS keys

The goal of this post is to give a quick overview of how I generate SSL/TLS keys and talk about why I do things a certain way.

Disclaimer

I am aware that OpenSSL has a lot of security problems and will hopefully be replaced by something like LibreSSL soon, but till then it is the de facto standard.

First off we start by generating a private SSL/TLS key using openssl.

openssl genrsa -aes256 -out server.key 4096

The file name after the -out switch will be where your new private key will be stored. The -aes256 switch defines the encryption used to protect the key and while I am not sure if that is very important, the number 4096 is important. It defines the length of the RSA key, which is used for the session key exchange and 2048 bit is currently the minimum and going with 4096 bit is the better and saver option.

You will realize that you have to provide a password that is used to protect your private key. This is good, but on a server it means that everytime you start or restart a service using this key you will be prompted for your password. While it is save and doable I would recommend to remove the password protection. This, however, means that your key can be use if it is lost (or handed out by the Heartbleed bug). This is what I do to remove the password from my private key

openssl rsa -in server.key -out server.pem

The private key I use from now on is server.pem. In the next step I will use it to create a Certificate Signing Request (CSR). A CSR is used to ask a Certification Authority (CA) to sign the public key. This allows browsers and other software to trust my key since they already trust the CA. I will not go into detail of how the signing works. I sign my keys via CaCert since it is for free and they are based on a web of trust. Unfortunately, no browser currently includes their root certificate and until this changes you will have to import the root cert yourself into your browser or OS key store.

openssl req -new -sha256 -key server.pem -out server-name.csr

Use the content of the server-name.csr file during the certification process. Once you are done you will receive a signed public key from the CA. Put the key into a file called something like server-name.cert.

Note that is use -sha256 to use the SHA256 hash algorithm instead of the default SHA1 algorithm. I do this since SHA1 isn't exactly secure anymore and there isn't really a good argument to use the weaker algorithm over the better one ;)

Hope this post helps you to create a private key, remove the password, and create a CSR.